Drupal Multiblock 6.x-1.3 XSS Vulnerability

28 March 2012

Description of Vulnerability:

CVE: CVE-2012-2070

OSVDB: 80673

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and backed by a MySQL database. The Drupal Multiblock module (https://drupal.org/project/multiblock) contains a persistent (stored) cross site scripting (XSS) vulnerability because it fails to sanitize block descriptions before displaying them in the block instance administration pages.

Systems affected:

Drupal 6.22 with Multiblock 6.x-1.3 was tested and shown to be vulnerable

Impact

A user with block administration rights could inject arbitrary scripts into pages viewed by other site users. This could result in attackers taking control of site users' web browsers or carrying out other client side attacks, such as stealing session cookies or performing actions with the victim's privileges.

Mitigating factors:

In order to execute arbitrary script injection malicious users must have the ability to administer blocks.

Proof of concept exploit:

  1. Install and enable the Multiblock module
  2. Create a new block at ?q=admin/build/block/add, enter "<script>alert('xss');</script>" for the description
  3. Create a new instance at ?q=admin/build/block/instances, select the block from #2 in the 'Block type' drop down
  4. Save the instance to view the persistent JavaScript at ?q=admin/build/block/instances
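The following PHP is an added illustration of the bug class the proof of concept above exercises; it is not the Multiblock module's code and makes no claim about how the module built its markup. It renders a 'Block type' select list from a constructed block list twice: once with the description concatenated into the HTML verbatim, and once with the description passed through Drupal 6's check_plain() at output time. A stand-in check_plain() is defined only when the script runs outside Drupal.

```php
<?php
// Added illustration of the stored XSS pattern described in the advisory.
// Not the Multiblock module's own code. Stand-in check_plain() is defined
// only when this runs outside Drupal, where the real function exists.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample data: one benign description and the description from
// the proof of concept, as an administrator would store it via
// ?q=admin/build/block/add.
$blocks = array(
  array('bid' => 1, 'description' => 'Footer links'),
  array('bid' => 2, 'description' => "<script>alert('xss');</script>"),
);

// Vulnerable rendering: the administrator-supplied description is inserted
// into the option label unescaped, so the stored <script> element is emitted
// as live markup every time the instance page is viewed.
function vulnerable_block_options(array $blocks) {
  $html = '<select name="block_type">';
  foreach ($blocks as $block) {
    $html .= '<option value="' . $block['bid'] . '">'
      . $block['description'] . '</option>';
  }
  return $html . '</select>';
}

// Hardened rendering: every user-controlled string goes through check_plain()
// at the point it is written into HTML, and the numeric id is cast. Escaping
// on output rather than on save means the stored value is unchanged and the
// fix holds wherever the description is later printed.
function safe_block_options(array $blocks) {
  $html = '<select name="block_type">';
  foreach ($blocks as $block) {
    $html .= '<option value="' . (int) $block['bid'] . '">'
      . check_plain($block['description']) . '</option>';
  }
  return $html . '</select>';
}

// Quick self-check: the hardened output must not contain a raw <script> tag.
function contains_raw_script($html) {
  return stripos($html, '<script') !== FALSE;
}

echo "Vulnerable (raw <script> present: "
  . (contains_raw_script(vulnerable_block_options($blocks)) ? 'yes' : 'no') . "):\n";
echo vulnerable_block_options($blocks) . "\n\n";
echo "Hardened (raw <script> present: "
  . (contains_raw_script(safe_block_options($blocks)) ? 'yes' : 'no') . "):\n";
echo safe_block_options($blocks) . "\n";
```

Run it with `php xss_demo.php` (assumed file name). The hardened output renders the description as the literal text `<script>alert('xss');</script>` rather than executing it; when building the same list through the Drupal 6 form API, supplying the descriptions as '#options' values has the same effect, since the select theming escapes option labels.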

Vendor response:

SA-CONTRIB-2012-043 - MultiBlock - Cross Site Scripting (https://drupal.org/node/1506390) recommends upgrading to the MultiBlock module version 6.x-1.4, 7.x-1.1 or later.